Healthcare Sector: Increasingly Vulnerable to Cyber Attacks

TLP: WHITE | Patients’ and employees’ medical, personal, and financial data are increasingly attractive to cyber criminals because of the elevated value of healthcare data on the black market, as well as the health sector’s rapid transition to electronic health records and patchy security standards. Last year, the healthcare sector accounted for roughly 40% of reported data breaches in the United States, and so far this year, the sector accounts for an overwhelming majority of compromised records, according to the Identity Theft Resource Center.

In February, the US’s second largest health insurer, Anthem, revealed that the personal information of nearly 80 million customers and employees was compromised in a cyber attack. The following month, Premera Blue Cross reported a breach of 11 million customers’ financial and medical records. Western media attributes both breaches to state-sponsored Chinese espionage groups.

Many healthcare networks consist of tens of thousands of computers, tablets, and smartphones, in addition to thousands of internet-connected medical devices such as radiology machines, patient monitors, and laboratory equipment—all of which expands an organization’s attack surface. Cybersecurity firms report that stolen health data can sell for $20 to $50 per record in online black markets, compared with social security and credit card numbers, which yield only about $1 to $2 each. These figures underscore the strong profit motive for cyber criminals.

As a result of industry-wide intrusions, effective 1 August 2015, healthcare insurers in New Jersey will be required to encrypt all personal data stored on computer systems or transmitted across public networks—a move that goes beyond current standards set forth by the Health Insurance Portability and Accountability Act (HIPAA), which does not mandate encryption.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.